AWS GuardDuty Detector Deleted Or Updated

Original Source: [Sigma source]
Title: AWS GuardDuty Detector Deleted Or Updated
Status: experimental
Description: Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of their malicious activity. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. Verify with the user identity that this activity is legitimate.
References:
  - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html
  - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html
  - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_suspend-disable.html
  - https://docs.datadoghq.com/security/default_rules/719-39f-9cd/
  - https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled
  - https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html
  - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml
  - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
  - https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm
  - https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/
  - https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/
  - https://www.atomicredteam.io/atomic-red-team/atomics/T156001#atomic-test-46---aws---guardduty-suspension-or-deletion
Author: suktech24
Date: 2025-11-27
Modified: None
Tags:
  - attack.defense-evasion
  - attack.t1562.001
  - attack.t1562.008
Logsource:
  • product: aws
  • service: cloudtrail
Detection:
  selection_event_source:
    eventSource: 'guardduty.amazonaws.com'
  selection_action_delete:
    eventName: 'DeleteDetector'
  selection_action_update:
    eventName: 'UpdateDetector'
    requestParameters.enable: 'false'
  selection_status_success:
    errorCode: 'Success'
  selection_status_null:
    errorCode: 'None'
  condition: selection_event_source and 1 of selection_action_* and 1 of selection_status_*
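The detection block above is a Sigma rule; the following is an added example (not part of the Sigma rule or the author's own tooling) that evaluates the same logic in Python over a handful of constructed CloudTrail records, so the matching behaviour can be checked offline. Field names follow the rule (`eventSource`, `eventName`, `requestParameters.enable`, `errorCode`); the sample events, ARNs and detector IDs are made up. One assumption is made explicit in the code: CloudTrail omits `errorCode` entirely on a successful call, so an absent field is treated as matching the rule's `errorCode: 'None'` selection, which is how most Sigma backends render a null match.

```python
"""Evaluate the "AWS GuardDuty Detector Deleted Or Updated" Sigma logic over CloudTrail records."""

# Constructed sample CloudTrail records (not real events). Only the fields the
# rule and the triage output use are populated.
SAMPLE_EVENTS = [
    {   # successful detector deletion: should alert
        "eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice-example"},
        "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-1"},
    },
    {   # detector disabled via UpdateDetector(enable=false): should alert
        "eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/deploy-example/session"},
        "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-1", "enable": False},
    },
    {   # detector re-enabled: must NOT alert (enable is true)
        "eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice-example"},
        "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-1", "enable": True},
    },
    {   # denied deletion attempt: must NOT alert (rule wants a successful call)
        "eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob-example"},
        "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-1"},
        "errorCode": "AccessDenied",
    },
    {   # same API name from another service: must NOT alert (eventSource mismatch)
        "eventSource": "example.amazonaws.com", "eventName": "DeleteDetector",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol-example"},
    },
]


def get_field(record, dotted_key):
    """Resolve a Sigma-style dotted field name (e.g. requestParameters.enable)
    against a nested CloudTrail JSON record. Returns None when absent."""
    current = record
    for part in dotted_key.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def normalise(value):
    """Sigma string matching is case-insensitive, and CloudTrail encodes
    requestParameters.enable as a JSON boolean, so False must compare equal to
    the rule's 'false'. An absent field is mapped to 'none' (assumption: this is
    how the rule's errorCode: 'None' selection is meant to behave)."""
    if value is None:
        return "none"
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).lower()


def matches(record):
    """Return True when the record satisfies:
    selection_event_source and 1 of selection_action_* and 1 of selection_status_*"""
    if normalise(get_field(record, "eventSource")) != "guardduty.amazonaws.com":
        return False
    event_name = normalise(get_field(record, "eventName"))
    action_delete = event_name == "deletedetector"
    action_update = (event_name == "updatedetector"
                     and normalise(get_field(record, "requestParameters.enable")) == "false")
    status_ok = normalise(get_field(record, "errorCode")) in ("success", "none")
    return (action_delete or action_update) and status_ok


def scan(records):
    """Run the rule over an iterable of records and return triage-ready alerts
    carrying the identity and detector the description tells the analyst to verify."""
    alerts = []
    for record in records:
        if matches(record):
            alerts.append({
                "eventName": get_field(record, "eventName"),
                "userArn": get_field(record, "userIdentity.arn"),
                "detectorId": get_field(record, "requestParameters.detectorId"),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[HIGH] GuardDuty detector {alert['detectorId']} affected by "
              f"{alert['eventName']} from {alert['userArn']}")
```

The `scan` output carries the caller ARN and detector ID so an analyst can check the activity against change-management records and known deployment roles, which is what the false-positive section below asks for. The boolean-to-string normalisation matters in practice: a backend that compares `requestParameters.enable` against the literal string `'false'` without coercion would silently miss every `UpdateDetector` disable event.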
Falsepositives:
  - Legitimate detector deletion by an admin (e.g., during account decommissioning).
  - Temporary disablement for troubleshooting (verify via change management tickets).
  - Automated deployment tools (e.g. Terraform) managing GuardDuty state.
Level: high